<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>elasticsearch-certgen | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'certgen.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/certgen.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/certgen.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/certgen.html" rel="nofollow" target="_blank">../en/certgen.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="commands.html">Command line tools</a></span>
»
<span class="breadcrumb-node">elasticsearch-certgen</span>
</div>
<div class="navheader">
<span class="prev">
<a href="commands.html">« Command line tools</a>
</span>
<span class="next">
<a href="certutil.html">elasticsearch-certutil »</a>
</span>
</div>
<div class="chapter xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="certgen"></a>elasticsearch-certgen<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/commands/certgen.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<div class="warning admon">
<div class="icon"></div>
<div class="admon_content">
<h3>Deprecated in 6.1.</h3>
<p>Replaced by <a class="xref" href="certutil.html" title="elasticsearch-certutil"><code class="literal">elasticsearch-certutil</code></a>.</p>
</div>
</div>
<p>The <code class="literal">elasticsearch-certgen</code> command simplifies the creation of certificate
authorities (CA), certificate signing requests (CSR), and signed certificates
for use with the Elastic Stack. Though this command is deprecated, you do not
need to replace CAs, CSRs, or certificates that it created.</p>
<h3>
<a id="_synopsis"></a>Synopsis<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/commands/certgen.asciidoc">edit</a>
</h3>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">bin/elasticsearch-certgen
(([--cert &lt;cert_file&gt;] [--days &lt;n&gt;] [--dn &lt;name&gt;] [--key &lt;key_file&gt;]
[--keysize &lt;bits&gt;] [--pass &lt;password&gt;] [--p12 &lt;password&gt;])
| [--csr])
[-E &lt;KeyValuePair&gt;] [-h, --help] [--in &lt;input_file&gt;] [--out &lt;output_file&gt;]
([-s, --silent] | [-v, --verbose])</pre>
</div>
<h3>
<a id="_description"></a>Description<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/commands/certgen.asciidoc">edit</a>
</h3>
<p>By default, the command runs in interactive mode and you are prompted for
information about each instance. An instance is any piece of the Elastic Stack
that requires a Transport Layer Security (TLS) or SSL certificate. Depending on
your configuration, Elasticsearch, Logstash, Kibana, and Beats might all require a
certificate and private key.</p>
<p>The minimum required value for each instance is a name. This can simply be the
hostname, which is used as the Common Name of the certificate. You can also use
a full distinguished name. IP addresses and DNS names are optional. Multiple
values can be specified as a comma separated string. If no IP addresses or DNS
names are provided, you might disable hostname verification in your TLS or SSL
configuration.</p>
<p>Depending on the parameters that you specify, you are also prompted for
necessary information such as the path for the output file and the CA private
key password.</p>
<p>The <code class="literal">elasticsearch-certgen</code> command also supports a silent mode of operation to
enable easier batch operations. For more information, see <a class="xref" href="certgen.html#certgen-silent" title="Using elasticsearch-certgen in Silent Mode">Using <code class="literal">elasticsearch-certgen</code> in Silent Mode</a>.</p>
<p>The output file is a zip file that contains the signed certificates and private
keys for each instance. If you chose to generate a CA, which is the default
behavior, the certificate and private key are included in the output file. If
you chose to generate CSRs, you should provide them to your commercial or
organization-specific certificate authority to obtain signed certificates. The
signed certificates must be in PEM format to work with the Elastic Stack
security features.</p>
<h3>
<a id="_parameters_6"></a>Parameters<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/commands/certgen.asciidoc">edit</a>
</h3>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">--cert &lt;cert_file&gt;</code>
</span>
</dt>
<dd>
Specifies to generate new instance certificates and keys
using an existing CA certificate, which is provided in the <code class="literal">&lt;cert_file&gt;</code> argument.
This parameter cannot be used with the <code class="literal">-csr</code> parameter.
</dd>
<dt>
<span class="term">
<code class="literal">--csr</code>
</span>
</dt>
<dd>
Specifies to operate in certificate signing request mode.
</dd>
<dt>
<span class="term">
<code class="literal">--days &lt;n&gt;</code>
</span>
</dt>
<dd>
Specifies an integer value that represents the number of days the generated keys
are valid. The default value is <code class="literal">1095</code>. This parameter cannot be used with the
<code class="literal">-csr</code> parameter.
</dd>
<dt>
<span class="term">
<code class="literal">--dn &lt;name&gt;</code>
</span>
</dt>
<dd>
Defines the <em>Distinguished Name</em> that is used for the generated CA certificate.
The default value is <code class="literal">CN=Elastic Certificate Tool Autogenerated CA</code>.
This parameter cannot be used with the <code class="literal">-csr</code> parameter.
</dd>
<dt>
<span class="term">
<code class="literal">-E &lt;KeyValuePair&gt;</code>
</span>
</dt>
<dd>
Configures a setting.
</dd>
<dt>
<span class="term">
<code class="literal">-h, --help</code>
</span>
</dt>
<dd>
Returns all of the command parameters.
</dd>
<dt>
<span class="term">
<code class="literal">--in &lt;input_file&gt;</code>
</span>
</dt>
<dd>
Specifies the file that is used to run in silent mode. The
input file must be a YAML file, as described in <a class="xref" href="certgen.html#certgen-silent" title="Using elasticsearch-certgen in Silent Mode">Using <code class="literal">elasticsearch-certgen</code> in Silent Mode</a>.
</dd>
<dt>
<span class="term">
<code class="literal">--key &lt;key_file&gt;</code>
</span>
</dt>
<dd>
Specifies the <em>private-key</em> file for the CA certificate.
This parameter is required whenever the <code class="literal">-cert</code> parameter is used.
</dd>
<dt>
<span class="term">
<code class="literal">--keysize &lt;bits&gt;</code>
</span>
</dt>
<dd>
Defines the number of bits that are used in generated RSA keys. The default
value is <code class="literal">2048</code>.
</dd>
<dt>
<span class="term">
<code class="literal">--out &lt;output_file&gt;</code>
</span>
</dt>
<dd>
Specifies a path for the output file.
</dd>
<dt>
<span class="term">
<code class="literal">--pass &lt;password&gt;</code>
</span>
</dt>
<dd>
Specifies the password for the CA private key.
If the <code class="literal">-key</code> parameter is provided, then this is the password for the existing
private key file. Otherwise, it is the password that should be applied to the
generated CA key. This parameter cannot be used with the <code class="literal">-csr</code> parameter.
</dd>
<dt>
<span class="term">
<code class="literal">--p12 &lt;password&gt;</code>
</span>
</dt>
<dd>
Generate a PKCS#12 (<code class="literal">.p12</code> or <code class="literal">.pfx</code>) container file for each of the instance
certificates and keys. The generated file is protected by the supplied password,
which can be blank. This parameter cannot be used with the <code class="literal">-csr</code> parameter.
</dd>
<dt>
<span class="term">
<code class="literal">-s, --silent</code>
</span>
</dt>
<dd>
Shows minimal output.
</dd>
<dt>
<span class="term">
<code class="literal">-v, --verbose</code>
</span>
</dt>
<dd>
Shows verbose output.
</dd>
</dl>
</div>
<h3>
<a id="_examples_5"></a>Examples<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/commands/certgen.asciidoc">edit</a>
</h3>
<h4>
<a id="certgen-silent"></a>Using <code class="literal">elasticsearch-certgen</code> in Silent Mode<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/commands/certgen.asciidoc">edit</a>
</h4>
<p>To use the silent mode of operation, you must create a YAML file that contains
information about the instances. It must match the following format:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">instances:
  - name: "node1" <a id="CO541-1"></a><i class="conum" data-value="1"></i>
    ip: <a id="CO541-2"></a><i class="conum" data-value="2"></i>
      - "192.0.2.1"
    dns: <a id="CO541-3"></a><i class="conum" data-value="3"></i>
      - "node1.mydomain.com"
  - name: "node2"
    ip:
      - "192.0.2.2"
      - "198.51.100.1"
  - name: "node3"
  - name: "node4"
    dns:
      - "node4.mydomain.com"
      - "node4.internal"
  - name: "CN=node5,OU=IT,DC=mydomain,DC=com"
    filename: "node5" <a id="CO541-4"></a><i class="conum" data-value="4"></i></pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO541-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>The name of the instance. This can be a simple string value or can be a
Distinguished Name (DN). This is the only required field.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO541-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>An optional array of strings that represent IP Addresses for this instance.
Both IPv4 and IPv6 values are allowed. The values are added as Subject
Alternative Names.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO541-3"><i class="conum" data-value="3"></i></a></p>
</td>
<td align="left" valign="top">
<p>An optional array of strings that represent DNS names for this instance.
The values are added as Subject Alternative Names.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO541-4"><i class="conum" data-value="4"></i></a></p>
</td>
<td align="left" valign="top">
<p>The filename to use for this instance. This name is used as the name of the
directory that contains the instance’s files in the output. It is also used in
the names of the files within the directory. This filename should not have an
extension. Note: If the <code class="literal">name</code> provided for the instance does not represent a
valid filename, then the <code class="literal">filename</code> field must be present.</p>
</td>
</tr>
</table>
</div>
<p>When your YAML file is ready, you can use the <code class="literal">elasticsearch-certgen</code> command to
generate certificates or certificate signing requests. Simply use the <code class="literal">-in</code>
parameter to specify the location of the file. For example:</p>
<div class="pre_wrapper lang-sh">
<pre class="programlisting prettyprint lang-sh">bin/elasticsearch-certgen -in instances.yml</pre>
</div>
<p>This command generates a CA certificate and private key as well as certificates
and private keys for the instances that are listed in the YAML file.</p>
</div>
<div class="navfooter">
<span class="prev">
<a href="commands.html">« Command line tools</a>
</span>
<span class="next">
<a href="certutil.html">elasticsearch-certutil »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>